    Trouble Shooting Help Needed

    General pfSense Questions
      kiekar last edited by

      Hello,

      I've been having an issue updating my Kaspersky database for a little while now. The database is no longer updating. I'm on the latest version of pfSense and all the latest package updates. I viewed the Real Time access logs and noticed these entries.

      1458484291.075    39 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-18.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.202 text/html
      1458484297.498    12 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3704 GET http://dnl-04.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/4.28.136.36 text/html
      1458484304.137    102 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-17.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.199 text/html
      1458484310.421    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-10.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.116 text/html
      1458484316.922    231 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-14.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.196 text/html
      1458484323.204    12 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-11.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.116 text/html
      1458484329.582    103 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-16.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.253 text/html
      1458484335.893    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-07.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.125 text/html
      1458484342.272    112 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-12.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.253 text/html
      1458484348.786    112 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-09.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.119 text/html
      1458484355.265    39 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-15.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.196 text/html
      1458484361.658    122 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-13.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.202 text/html
      1458484367.944    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3704 GET http://dnl-01.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/4.28.136.42 text/html
      1458484377.578    270 192.168.2.182 TCP_MISS/503 3727 GET http://downloads6.kaspersky-labs.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.253 text/html
      1458484603.675    892 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3719 GET http://dnl-07.geo.kaspersky.com/updaters/updater.xml.dif - ORIGINAL_DST/38.124.168.116 text/html

      I'm not sure how to configure pfSense to allow the connection to update my antivirus database. Your help would be much appreciated.

        heper last edited by

        Real time access logs of what? Proxy? Try to disable it.

          kiekar last edited by

          What? Proxy.

          I'm using Squid3 0.4.7. Disabling it doesn't work.

            johnpoz LAYER 8 Global Moderator last edited by

            Are you using it in explicit or implicit mode? What are your rules on this network interface? If you point a client to a proxy and then turn off the proxy, then yeah, no shit, it's not going to work.. If you use transparent mode and have rules to intercept traffic and only allow your proxy port, again turning off the proxy is not going to work..

              kiekar last edited by

              I have squid set to transparent mode. Outbound is also blocked.


                johnpoz LAYER 8 Global Moderator last edited by

                So you have a floating rule blocking outbound traffic on your WAN? Or do you have snort installed doing it?

                  mer last edited by

                  With no packages and default rules on a pfSense box, Kaspersky IS updates just fine for me.

                    johnpoz LAYER 8 Global Moderator last edited by

                    You can see from what he posted that he has an outbound rule set up on his WAN that is blocking traffic to port 80. If he would turn on listing the rule description in the log settings, it could tell you exactly which rule it is. The only place you can set outbound rules is the floating tab.. So post up your floating tab so we can see the rules.


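                    A small parser for the Squid native access.log lines posted above that groups 5xx results by their ORIGINAL_DST peer and turns them into the dst:port pairs to look for in the pfSense firewall log, which is the correlation johnpoz describes. This is an added example, not code from the thread, pfSense or Squid; five sample lines are taken from the first post and the last one is constructed.

```python
import re
from collections import Counter

# Squid native access.log fields, as shown in the pfSense "Real Time" view:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# First five lines are from the thread; the last one is constructed (a normal 200 hit)
SAMPLE_LOG = [
    "1458484291.075    39 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-18.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.202 text/html",
    "1458484310.421    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-10.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.116 text/html",
    "1458484323.204    12 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-11.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.116 text/html",
    "1458484361.658   122 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-13.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.202 text/html",
    "1458484603.675   892 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3719 GET http://dnl-07.geo.kaspersky.com/updaters/updater.xml.dif - ORIGINAL_DST/38.124.168.116 text/html",
    "1458484700.000    50 192.168.2.182 TCP_MISS/200 1234 GET http://example.test/index.html - ORIGINAL_DST/192.0.2.10 text/html",
]

def parse_line(line):
    """Return the fields of one access.log line, or None if it doesn't match."""
    m = SQUID_LINE.match(line.strip())
    return m.groupdict() if m else None

def upstream_failures(lines):
    """Count 5xx results per upstream peer and record the hostnames behind it.
    In transparent mode the hierarchy is ORIGINAL_DST/<server ip>, so a 503 here
    means Squid itself could not reach the server: look at the firewall, not the client."""
    by_peer, hosts = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("5"):
            continue
        by_peer[rec["peer"]] += 1
        host = re.sub(r"^[a-z]+://", "", rec["url"]).split("/")[0]
        hosts.setdefault(rec["peer"], set()).add(host)
    return by_peer, hosts

def firewall_search_targets(by_peer, port=80):
    """dst:port strings to search for in the pfSense firewall log (Status > System Logs)."""
    return sorted(f"{ip}:{port}" for ip in by_peer)

if __name__ == "__main__":
    peers, hosts = upstream_failures(SAMPLE_LOG)
    for ip, n in peers.most_common():
        print(f"{ip}: {n} x 5xx for {', '.join(sorted(hosts[ip]))}")
    print("check outbound blocks to:", firewall_search_targets(peers))
```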
                      kiekar last edited by

                      I do have one floating rule, which was auto generated by pfBlockerNG. I did change the settings for firewall logs, which I was never aware of, and that pointed me to SNORT:

                      Mar 20 16:48:58 Direction=OUT WAN Block snort2c hosts (1000000118) xx.xxx.xxx.xxx:56894 38.124.168.116:80 TCP:S

                      I did check SNORT before, but I couldn't see any of the IPs logged on the Alerts tab or the Blocked tab.

                        johnpoz LAYER 8 Global Moderator last edited by

                        I really really wish there would be very large bold-letter caveats when installing tools like pfblocker, and for sure snort, and even the proxy - that lack of understanding will BREAK your shit ;) hehehe

                        Snort can take quite a bit of tweaking of the rules before it is anything other than a log noise generation tool… Putting it into block mode before you have spent the required time tweaking the rule set to weed out noise, etc.. is just asking for shit to break..

                        While I like the idea of pfblocker, it too is a very quick and easy way to break shit when you don't understand its actual use.. Letting it auto create rules is, if you ask me, a REALLY BAD idea.. If you want to use it to block countries' IP ranges and/or remove ads, then use the rules in alias mode and place the specific rules you want.

                        In general letting stuff block stuff for you automatically is going to lead to shit not working, and you not understanding why..

                        As to the proxy, unless you have a bunch of puberty-age boys that you're trying to block from porn ville, it serves little use in anything other than a corp environment.. And it's just another thing that could break your shit for very little added benefit..

                        © 2020 Rubicon Communications, LLC | Privacy Policy